{"id":14713,"date":"2010-12-20T10:24:23","date_gmt":"2010-12-20T15:24:23","guid":{"rendered":"https:\/\/setsail.com\/?p=14713"},"modified":"2010-12-20T23:57:03","modified_gmt":"2010-12-21T04:57:03","slug":"wifi-security-int-he-firesheep-era","status":"publish","type":"post","link":"https:\/\/setsail.com\/wifi-security-int-he-firesheep-era\/","title":{"rendered":"WiFi Security In The Firesheep Era"},"content":{"rendered":"

A few weeks ago Ben Ellison had a story<\/a> on a program called “Firesheep” which makes hacking WiFi signals much easier. Recently John Harries had an even better discussion<\/a> on his website (be sure to read the comments on both). This issue is of concern to anyone who uses WiFi to send data they would not otherwise want in the hands of someone intent on no good.<\/p>\n

Having an expert in this field in our own back yard, Mike Parker, we asked Mike for his take on the Firesheep problem. Mike’s comments follow:<\/p>\n

<\/p>\n

\n

Good discussion (Mike is referring to the John Harries article).<\/p><\/blockquote>\n<\/blockquote>\n

\n

Most of the discussion focuses on the un-encrypted Wi-Fi over-the-air radio link, and this is a real threat. I always assume that anything sent over such a link may be intercepted. \u00a0Sometimes things go over this link without you realizing it. \u00a0For example, I found that my computer email was sending a default request to check all my email accounts every 10 minutes. \u00a0That request included my mail server’s address, my user name and my password UNENCRYPTED.<\/p><\/blockquote>\n<\/blockquote>\n

\n

Apparently, with the release of Firesheep, attacks on un-encrypted Wi-Fi links are trivial. \u00a0See:<\/p><\/blockquote>\n<\/blockquote>\n

\n

http:\/\/www.computerworld.com\/s\/article\/9193201\/How_to_protect_against_Firesheep_attacks<\/a><\/p><\/blockquote>\n<\/blockquote>\n

\n

The computers at the marina end of the link are also an area of risk. \u00a0If I were a criminal, I might get a job there. \u00a0Of course, getting a job at a phone company or a company that routes internet traffic might be a more lucrative alternative.<\/p><\/blockquote>\n<\/blockquote>\n

\n

The advice to use any security services that your bank, etc. offers is good. \u00a0HTTPS helps if the web site supports it. \u00a0Note that many sites only encrypt some things in the exchange with the web site. \u00a0Apparently many sites only encrypt the initial login, and not the data that follows. \u00a0The blog’s reference to:<\/p><\/blockquote>\n<\/blockquote>\n

\n

https:\/\/www.eff.org\/https-everywhere<\/a> appears to be an excellent start if you use the Firefox browser.<\/p><\/blockquote>\n<\/blockquote>\n

\n

I tend to trust an external data connection directly to the phone network. \u00a0The phone system (like GSM) generally has security protection built in and you can hope it is turned on by the phone company. \u00a0\u00a0Also the equipment required for hacking the phone network is less available than Wi-Fi equipment. \u00a0I believe I told you about the Ericsson W35 equipment we are buying for Avatar. \u00a0That hooked to GSM plus WPA2 for our internal Wi-Fi is reasonably secure for now I think.<\/p><\/blockquote>\n<\/blockquote>\n

\n

We have a Wi-Fi access point in the boat for internal use by laptops, etc. \u00a0We have turned on WPA2 encryption. \u00a0That protects us from someone nearby sniffing our internal network. \u00a0Of course, it doesn’t protect anything that goes outside the internal boat network.<\/p><\/blockquote>\n<\/blockquote>\n

\n

My office runs both hardware and software VPN. \u00a0The goal is to keep anyone in between in the phone network (which is not usually encrypted internally) or any of the internet routers (whose data streams are typically not encrypted) from seeing anything other than an encrypted data stream that goes point-to-point from my terminal to my work network. \u00a0The VPN software and hardware has not been trivial to set up correctly or totally bug free.<\/p><\/blockquote>\n<\/blockquote>\n

\n

None of this protects you if the right kind of malware gets into a computer on your private network. \u00a0Once the malware is installed, it can send (and receive) information to\/from computers outside your VPN network and you are doomed. \u00a0So be careful about attaching potentially infected laptops to your boat network <\/strong>(our emphasis).<\/strong><\/p><\/blockquote>\n<\/blockquote>\n

\n

Remember that the VPN services are encrypting stuff between your computer and their servers. \u00a0That protects you from someone intercepting your over-the-air link or unencrypted phone\/internet traffic. \u00a0But it does not protect you from the VPN service itself. \u00a0They are installing and controlling software inside your computer. \u00a0So you MUST TRUST THEM. \u00a0If I were the Russian mafia, I would be setting up sites like this. \u00a0I have no reason to believe that there is a problem, but just because I’m paranoid doesn’t mean they aren’t out to get me \ud83d\ude42<\/p><\/blockquote>\n<\/blockquote>\n

\n

With Firesheep on the loose, I suspect we are going to all learn a lot about wireless security and VPN in the coming months.<\/p><\/blockquote>\n<\/blockquote>\n

This story is going to become more interesting. We will keep you posted on what we learn.<\/p>\n","protected":false},"excerpt":{"rendered":"

","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[92,91],"class_list":["post-14713","post","type-post","status-publish","format-standard","hentry","category-dashew-blog","tag-firesheep","tag-wifi-security"],"_links":{"self":[{"href":"https:\/\/setsail.com\/wp-json\/wp\/v2\/posts\/14713"}],"collection":[{"href":"https:\/\/setsail.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/setsail.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/setsail.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/setsail.com\/wp-json\/wp\/v2\/comments?post=14713"}],"version-history":[{"count":0,"href":"https:\/\/setsail.com\/wp-json\/wp\/v2\/posts\/14713\/revisions"}],"wp:attachment":[{"href":"https:\/\/setsail.com\/wp-json\/wp\/v2\/media?parent=14713"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/setsail.com\/wp-json\/wp\/v2\/categories?post=14713"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/setsail.com\/wp-json\/wp\/v2\/tags?post=14713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}